Scroll Top

WP Security: 6 plugin vulnerabilities in February 2019


WP Security bulletin – February 2019

At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 6 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress breaches to your site(s).

  • NextGen Gallery
    • Authenticated PHP Object Injection reported by Slavco (@mslavco). Legacy serialization handling allows unserialize of user input for low privileged users, leading to RCE.
      • WP Security recommendation: immediately upgrade to version 3.1.7 to fix the vulnerability.

  • Parallax Scroll
    • Cross-Site Scripting (XSS) reported by Adam Robinson. In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.0 for WordPress, includes/adamrob-parralax-shortcode.php allows XSS via the title text. (“parallax” has a spelling change within the PHP filename.)
      • WP Security recommendation: immediately upgrade to version 2.1 to fix the vulnerability.

  • Simple Social Buttons
    • BYPASS reported by Luka Šikić (WebARX). Improper application design flow, chained with lack of permission check resulted in privilege escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table.
      • WP Security recommendation: immediately upgrade to version 2.0.22 to fix the vulnerability.


Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!

The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more and more bad intended persons find out about these vulnerabilities. WP Security compromised by plugins from Automattic, WPMU DEV and Codecanyon.

  • WooCommerce
    • Stored Cross-Site Scripting (XSS) reported by Zhouyuan Yang of Fortinet’s FortiGuard Labs. WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. It is caused by inadequate filtering on the image caption.
      • WP Security recommendation: immediately upgrade to version 3.5.5 to fix the vulnerability.

  • Forminator
    • Unauthenticated Persistent XSS via polls reported by Tim Coen. Custom fields of a poll are not properly encoded when showing results of a poll, leading to persistent XSS.
    • Authenticated Blind SQL Injection: Delete Submission reported by Tim Coen. The action of deleting submissions is vulnerable to blind SQL injection. An attacker can exploit this to extract data from the database.
    • Self-XSS reported by Tim Coen. When uploading a file in a form, the filename is inserted into the DOM, leading to XSS.
    • Tab Napping reported by Tim Coen. The website input of a form does not use the noreferrer and noopener rel attributes and is thus vulnerable to tab napping.
    • CSV Injection reported by Tim Coen. The export feature is vulnerable to CSV injection. An attacker could inject malicious data via form submissions which may lead to the disclosure of information when exported and viewed with a spreadsheet program.
      • WP Security recommendation: immediately upgrade to version 1.6 to fix all the vulnerabilities.

  • WP Cost Estimation
    • Arbitrary File Upload and Delete reported by Chris (@_FireFart_). The workflow for exploiting an arbitrary file delete flaw is usually the same: Delete the vulnerable site’s wp-config.php file. With no database configuration, WordPress assumes a fresh install is taking place. The attacker is then free to connect the site to their own remote database, log in as an administrator, and upload backdoors through the dashboard.
    • Upload Directory Traversal reported by Chris (@_FireFart_). Unfortunately, only forms created in the patched version would have an associated randomSeed value stored in the database. Forms which existed prior to the patch, which would certainly be the case for the majority of users, had an empty randomSeed value. This empty value does nothing when appended to the $formSession path, which leaves these forms vulnerable.
      • WP Security recommendation: immediately upgrade to version 9.644 to fix both vulnerabilities.



Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

Do you have any concerns with WP Security? Leave your thoughts in the comments below!

Related Posts